Dated: 11-11-2024

Ch02 Case Study of Enterprise - Small Organization

  • Organizational characteristics:
    • Location: Karachi
    • 70 total staff
    • 10 IT staff
    • 8 servers
    • 1 main DC, no DR site
    • IT service oriented business delivered to banks, telcos, enterprises
  • Organizational culture:
    • Small IT oriented profitable business
    • Mostly chaotic culture with no defined or documented processes
    • Organization lacks execution discipline
    • Quality of resources: average
  • IT setup:
    • Windows 2010/2012, Linux server OS
    • ASP.NET 4.x and PHP applications (10 in total)
    • Windows 8/10 desktops (50+)
    • 1 Cisco ASA FW in DC
    • No DR site or offsite backup
    • Free antivirus, no Active Directory, no paid licenses
  • Security posture:
    • Completely absent
    • No hardening done
    • No vulnerability management
    • No security management or governance
    • No security policy and no staff dedicated to security
    • No prior management commitment
  • Security requirement:
    • Customers are banks and telcos
    • Desired ISO27001:2013 (ISMS) certification for customer RFPs
  • What drove the change?
    • Executive management facing security questions from top clients
    • COO approaches a security consulting company for penetration testing
    • Consultant advises project for security transformation
  • Security transformation project:
    • Project initiation: 2 months
    • Layer 1: security hardening of IT assets (6 months)
    • Layer 2: vulnerability management (1 month)
    • Layer 3: security engineering (1 month)
    • Layer 4: governance and ISO 27001 certification (3 months)
  • Conclusion:
    • The absence of a process-oriented, organized culture makes security implementation difficult
    • An ad hoc culture is difficult to transform
    • Executive management support and commitment was the success factor